Two proposed changes to blaze-html (xhtml support, don't escape ') #48
Conversation
Argument: The only context in which ' needs to be escaped is inside a single-quoted attribute value. Since blaze-html uses double quotes around attribute values, it should never need to escape '.
* Modified Util/GenerateHtmlCombinators to generate these automatically.
* HtmlVariant now includes a selfClosing field; if True, leaf tags will be self-closed.
* Modified cabal file to include the new modules in exported modules.
Hi John, making blaze-html usable for pandoc is important to me. However, I'm not sure about dropping the escaping of single quotes. Is it disallowed in XHTML? I'd rather be on the safe side than weaken the security guarantees given by HTML code generated by blaze-html. We used the following information about cross-site scripting as a template for choosing the escaping.

best regards,

PS: If we change the escaping, then I'll also have to adapt blaze-builder accordingly. That's no problem. It's more a note that I have to do it :-)
Simon, I didn't have to make any changes to blaze-builder to change the

It's true that putting unescaped user input inside a single-quoted

for example, this would be bad in ruby:

"bad" because if the user passed in "dog's", you'd get: <a href='dog's'>bad

and who knows how a browser might interpret that. However, in blaze-html, you always use double quotes around attributes. So I

That said, the single quote escaping is not as big an issue for me

Best,

+++ Simon Meier [Dec 18 11 12:22 ]:
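To make the argument in the thread concrete, here is an added Python example (constructed for this discussion; it is not blaze-html or blaze-builder code). It renders a constructed attribute value with each delimiter and each escaping policy, and checks whether the value still sits inside a single well-formed attribute.

```python
import re

# Added example (constructed; not blaze-html or blaze-builder code).
# The escaper mirrors the PR's two options: always escape ' or leave it alone.
def escape_attr(value: str, escape_single_quote: bool) -> str:
    out = (value.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace('"', "&quot;"))
    if escape_single_quote:
        out = out.replace("'", "&#39;")
    return out

def render_link(href: str, delimiter: str, escape_single_quote: bool) -> str:
    """Render <a href=...>x</a>, wrapping the value in the given delimiter
    (" as blaze-html does, or ' as in the Ruby example from the thread)."""
    assert delimiter in ('"', "'")
    return f"<a href={delimiter}{escape_attr(href, escape_single_quote)}{delimiter}>x</a>"

# A well-formed result is exactly one delimited value followed by >x</a>.
_INTACT = re.compile(r'^<a href=(?:"[^"]*"|\'[^\']*\')>x</a>$')

def attribute_is_intact(markup: str) -> bool:
    """True when the whole href is still inside one attribute value, i.e.
    the input could not close the value early and start new attributes."""
    return _INTACT.match(markup) is not None

def check_cases(href: str) -> dict:
    """Try the input with both delimiters and both escaping policies."""
    results = {}
    for delimiter in ('"', "'"):
        for escape_sq in (True, False):
            markup = render_link(href, delimiter, escape_sq)
            results[(delimiter, escape_sq)] = attribute_is_intact(markup)
    return results

if __name__ == "__main__":
    # The thread's example value, plus one containing a double quote.
    for sample in ("dog's", 'say "hi"'):
        for (delim, esc), ok in check_cases(sample).items():
            print(f"{sample!r:12} delimiter={delim} escape'={esc!s:5} intact={ok}")
```

Only the combination of a single-quoted delimiter with ' left unescaped breaks the attribute, which is John's point; escaping ' as well is the conservative choice Simon prefers, since it stays safe regardless of the delimiter.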
I think John's point is valid, but I'd rather be 100% sure. Perhaps we should throw a mail to the Haskell web-devel list to see if they can think of any security concerns?
+++ Jasper Van der Jeugt [Dec 18 11 13:41 ]:
That's a good idea.
@jgm, I've cherry-picked the XHTML patch. This has already been put on Hackage as 0.4.3.0. I'm planning on integrating the other patch as well, as there seem to be no security concerns. However, there is a small problem: some of the escaping code (more specifically, for the UTF-8 renderer) is indeed located in the

Now, it would seem like a good idea to move this module from
@jaspervdj why don't you just use your own modified copy of that function in the new version of blaze-html? This way users of blaze-builder get the existing behavior and you have the freedom to change the escaping. This would result in the least surprises, I think.

In the near future, the second patch to bytestring will also be completed and accepted. This patch will provide a safe means to define such escaping functions directly. The blaze-builder package will become obsolete and replaced with a stub reexporting the bytestring builder functions.
+++ Jasper Van der Jeugt [Dec 20 11 01:08 ]:
Thank you! Let me know when the escaping patch is integrated, and
I see that
I admit I had forgotten this issue. I'll fix it next week (leaving on a small trip tomorrow).
Great! No urgency on this end; I'm working around it for now.

+++ Jasper Van der Jeugt [Sep 28 12 07:51 ]:
BTW: I'm working on porting blaze-markup over to the new bytestring builder. I suggest we address this issue after this port, as it also allows handling the fast UTF-8 path properly; i.e., using primitive encodings to implement the attribute and the standard HTML escaping.
I wrote Jasper an email about these issues earlier. You can consider these concrete proposals. Perhaps both are controversial. The two changes are completely independent:
(1) Don't escape ' (justification in commit).
(2) Added modules for XHtml1.Strict, Transitional, and FrameSet. These use the same tags and attributes as the corresponding Html modules. The only differences are that leaf nodes are self-closed, and a different doctype is used.
These changes would allow me to use blaze-html for pandoc's output.